thatguyiam n00b
Joined: 17 Nov 2004 Posts: 23
Posted: Mon Jan 24, 2005 12:06 am Post subject:

jkt --
You are correct. Although it is a bit of a grey area, legally. In the same way that in some areas, technically, it's illegal to fight back against someone physically beating you to a pulp. It's not advisable to try to counterhack someone, especially since they might be doing it from an (innocent) rooted box. One application of testing to see if test:test works on an attacking computer is that if it does, it's probably a zombie box, and an e-mail sent to root@soandsoIP could alert them to their compromised box. But as it's been said many times, that's a lot more effort than it's worth to help someone who doesn't have the sense to not have easily guessed passwords like that. I guess it's up to the user.

jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Mon Jan 24, 2005 4:22 pm Post subject:

thatguyiam wrote: | In the same way that in some areas, technically, it's illegal to fight back against someone physically beating you to a pulp. |
OTW also here?
I'm glad I don't live in such a country.
It's useless, IMHO. If an administrator sets up such accounts, he probably doesn't read root's mail.
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation

Enigma_Man n00b
Joined: 20 May 2003 Posts: 55 Location: Massachusetts
Posted: Tue Jan 25, 2005 5:02 pm Post subject:

setagllib wrote: |
I very strongly recommend disabling every other kind of authentication. When you get an error authenticating, the auth methods in parentheses should only be 'publickey'. |
I'm a noob, but trying to learn all of this. When I try to connect with a fake name, just to test this, I get:
Code: | (publickey,keyboard-interactive) |
in the parentheses. What's keyboard-interactive? I didn't see any mention of that in the sshd_config.
Also... I have PAM enabled, and it allows me to log in with my username / password, even though I have plaintext passwords turned off. If I disable PAM, it just locks me out of the machine always. I'm trying to read the BSD info you posted, but it's a little above my head. Could you explain why at all?
Thanks,
-Jesse

jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Wed Jan 26, 2005 10:32 pm Post subject:

Enigma_Man wrote: |
in the parentheses. What's keyboard-interactive? I didn't see any mention of that in the sshd_config. |
Method of authentication in which you supply a plaintext password.
Quote: |
Also... I have PAM enabled, and it allows me to log in with my username / password, even though I have plaintext passwords turned off. |
Look at the files under /etc/pam.d/
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation

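To make jkt's answer concrete, here is an added example (not from this thread and not part of OpenSSH): a small shell audit of an sshd_config. It assumes OpenSSH of this period, where PAM's password prompt is delivered over the keyboard-interactive method and is switched off by ChallengeResponseAuthentication no, so PasswordAuthentication no on its own leaves exactly the path Jesse saw open. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit an sshd_config for the
# settings that control the "keyboard-interactive" method. With OpenSSH of this
# period, PAM's password prompt is delivered over keyboard-interactive, which
# ChallengeResponseAuthentication governs; PasswordAuthentication alone does not
# close that path. The sample configs below are constructed.

# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd keeps the first uncommented occurrence of a keyword, so that is what we take.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == k { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE: report which password-typing paths are still open.
# Returns 0 when only publickey would be offered, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    pw=$(sshd_opt "$cfg" PasswordAuthentication yes)          # OpenSSH default: yes
    cr=$(sshd_opt "$cfg" ChallengeResponseAuthentication yes) # OpenSSH default: yes
    pam=$(sshd_opt "$cfg" UsePAM no)                          # OpenSSH default: no
    pk=$(sshd_opt "$cfg" PubkeyAuthentication yes)            # OpenSSH default: yes
    open=0
    if [ "$pw" = yes ]; then
        echo "password: open (PasswordAuthentication yes)"; open=1
    fi
    if [ "$cr" = yes ]; then
        echo "keyboard-interactive: open (ChallengeResponseAuthentication yes, UsePAM $pam)"; open=1
    fi
    if [ "$pk" != yes ]; then
        echo "warning: PubkeyAuthentication is $pk; key logins would fail"
    fi
    [ "$open" -eq 0 ] && echo "only publickey is offered"
    return "$open"
}

# Constructed samples: a typical "passwords off" config that still prompts, and the
# hardened one where only publickey remains.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# PasswordAuthentication is off, but PAM can still prompt through keyboard-interactive
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$HARD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

echo "== weak =="; audit_sshd_config "$WEAK" || echo "(status $?)"
echo "== hardened =="; audit_sshd_config "$HARD" || echo "(status $?)"
```

Point it at /etc/ssh/sshd_config instead of the constructed files. After changing the settings, restart sshd and test from a second session before closing the one you have, so a mistake in the key or PAM setup cannot lock you out, which is what Jesse ran into when switching PAM off.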
tryze n00b
Joined: 11 Jul 2002 Posts: 51
Posted: Thu Jan 27, 2005 10:53 pm Post subject:

Hi all! I hope this question is ok in this thread, but I just installed root-tail and from time to time I get an odd message which doesn't tell me anything:
(user) /usr/sbin/cron[14433]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Does anyone know what this could be?

rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Fri Jan 28, 2005 9:34 am Post subject:

tryze wrote: | [...]from time to time i get an odd message which doesn't tell me anything:
(user) /usr/sbin/cron[14433]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
does anyone know what this could be? |
Yes. It's a cron job which makes the cron.daily, cron.hourly etc things work. Normally it runs every minute, and if you don't filter it out it fills up your log files.
Look in /etc/crontab. Most likely it looks something like this:
Code: |
0 * * * * root rm -f /var/spool/cron/lastrun/cron.hourly
1 3 * * * root rm -f /var/spool/cron/lastrun/cron.daily
15 4 * * 6 root rm -f /var/spool/cron/lastrun/cron.weekly
30 5 1 * * root rm -f /var/spool/cron/lastrun/cron.monthly
* * * * * root test -x /usr/sbin/run-crons && /usr/sbin/run-crons
|
/usr/sbin/run-crons is a shell script - you can read it to get an idea what it does.
If you want to filter cron stuff from your logs, try something like this (syslog-ng):
Code: |
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter nocron { not facility (cron); };
destination messages { file("/var/log/messages"); };
log { source(src); filter(nocron); destination(messages); };
|

tryze n00b
Joined: 11 Jul 2002 Posts: 51
Posted: Fri Jan 28, 2005 1:32 pm Post subject:

Ah, to know what it is makes me feel much better
After appearing some time in a 10 min interval and some other messages (cron.daily and so on) I suspected something like this. I'm not that experienced with linux/gentoo yet, so I just asked...
Thanks for the help!

rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Fri Jan 28, 2005 3:24 pm Post subject:

tryze wrote: | [...] thanks for the help! |
No problem

sixshot n00b
Joined: 30 Apr 2004 Posts: 52
Posted: Sun Jan 30, 2005 5:11 am Post subject:

Okay, having peeked into my log twice, I'm starting to get very, if not absolutely, annoyed at the number of attempts. I plan on using http://www.404ster.com/sshblocks.php for starting out. But I'm wondering what http://www.blackholes.us/ is also used for, or what purpose it serves for us. The page doesn't seem to give out much details on what it's for other than being a listing of IP address ranges.
Also, the thing I'd like to know most is whether or not I should block specifically SSH connections from those ranges or block entirely. I ask this because I don't know where they lead to nor do I know if I, or someone in the family, happen to browse the web and stumble upon a website that coincidentally resolves to a blocked address. What is the best course of action?
Just in case if it's necessary, I've the latest version of Apache2 running to serve personal webpage. No telnet. OpenSSH is the only method to interactively login to the router box.
_________________
One shall stand. One shall fall.

cbock Tux's lil' helper
Joined: 16 Apr 2004 Posts: 149 Location: san diego
Posted: Tue Feb 08, 2005 1:04 am Post subject:

This post should be required reading. I've had 6400+ failed logins since last July. wow.
I felt better after reviewing
Code: | grep -i "successful" /var/log/messages |
Not to say that's a true measure of successful security. Made me feel a little better though.

dasalvagg Apprentice
Joined: 26 Jun 2002 Posts: 183 Location: NY
Posted: Sun Feb 13, 2005 8:39 pm Post subject:

I've seen rootkits discussed here....here are a couple pointers in combating them
1. External filesystem. ps, top, ls, netstat etc. commands are often modified by a rootkit. Use the livecd or some other external known good filesystem to run chkrootkit. Your system will appear clean if chkrootkit depends on files that have been modified.
2. Turn off kernel modules. When an attacker tries to install a rootkit they will often try a kernel level attack. What happens is they modprobe a pre-built kernel module that will modify system calls to the kernel or filesystem that can hide their files. Disabling kernel modules stops this.
3. Prepare with hashes. md5 your system using something like tripwire that will create a known good set of files. If you suspect you've been hacked compare the current md5s of your system with the previously made, good, md5s. Of course these md5s should be stored externally. An unmounted harddrive does NOT count as external.
4. Don't get hacked. Seems obvious but it's the most important. A firewall should not be your total security solution. firewall + tripwire + nessus (to yourself) + hard passwords + ssh keys + chkrootkit regularly + checking syslogs + etc. The more you prepare the less likely you'll ever need to post here and say "I've been hacked"

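Point 3 above, reduced to its bare workflow, as an added example (not from the thread and not tripwire): build a baseline of file hashes while the system is known good, keep that baseline off the machine, and later hash the tree again and diff. sha256sum stands in for the md5 the post mentions (same procedure; md5 is no longer collision resistant). The directory tree, the "rootkit" modifications and the file names are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread and not tripwire: the bare workflow behind
# "prepare with hashes". sha256sum stands in for the md5 the post mentions (same
# procedure; md5 is no longer collision resistant). The tree below is constructed.

# make_baseline DIR OUT: one "hash  ./path" line per regular file under DIR,
# sorted so two baselines of the same tree are byte-identical.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_baseline DIR BASELINE: hash DIR again and report CHANGED, NEW and
# MISSING paths. Returns 0 when the tree matches the baseline, 1 otherwise.
verify_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    diffs=$(awk -v b="$2" '
        FILENAME == b { base[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in base))       print "NEW     " $2
            else if (base[$2] != $1) print "CHANGED " $2
        }
        END { for (f in base) if (!(f in seen)) print "MISSING " f }' "$2" "$cur")
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed tree standing in for /bin, baselined while known good.
ROOT=$(mktemp -d); BASE=$(mktemp)
trap 'rm -rf "$ROOT" "$BASE"' EXIT
mkdir -p "$ROOT/bin"
printf 'original ls\n' > "$ROOT/bin/ls"
printf 'original ps\n' > "$ROOT/bin/ps"
make_baseline "$ROOT" "$BASE"
# $BASE is what you copy off the machine (CD, another host). It must not stay on
# the disk it describes, which is the post's point about unmounted drives.

# Simulate what a rootkit leaves behind: a replaced ps and a new file.
printf 'trojaned ps\n' > "$ROOT/bin/ps"
printf 'module\n' > "$ROOT/bin/evil.ko"

echo "== verification after tampering =="
verify_baseline "$ROOT" "$BASE" || echo "(status $?: tree does not match baseline)"
```

For a real check, run verify_baseline from a live CD against the mounted disk (point 1 above), with the baseline read from the external copy; a sha256sum binary on the suspect disk is exactly the kind of file a rootkit replaces.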
russianpirate Veteran
Joined: 26 Sep 2004 Posts: 1167 Location: Detroit, MI
Posted: Wed Feb 16, 2005 10:50 pm Post subject:

Does an inbound router and a firewall make it secure enough (no one can use the router's functions, but ping).. all ports are closed, no dmz, no redirections. The only way the data is going in is if the firewall allows it (set up to allow on local in).. and if I'm requesting that data. My computer isn't accessible outside the LAN, only the router, and there's no way you can reconfigure it because there is no http configuring set, only from the LAN. I think you can safely skip the ssh, hard password (although I did set one that's pretty good lol), and everything else.

dasalvagg Apprentice
Joined: 26 Jun 2002 Posts: 183 Location: NY
Posted: Thu Feb 17, 2005 5:18 pm Post subject:

There is a possibility still. Security holes do occasionally, though not often, pop up for firewalls. Rarely are they patched by home users that may have a linksys hardware firewall. They just don't know how. If you were rooted in some other way, for instance you install a program that has a root kit in it, then you're still hacked. A firewall will not block the person from gaining access to the rooted system. In this case the rootkit could "call home" or create a reverse shell where it would connect to the attacker's box and allow commands to be sent back to yours. This works because the machine inside the firewall created the connection. Security is best done in layers....apply as many as possible without denying features/ability to use the system.

rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Fri Feb 18, 2005 10:02 am Post subject:

Your computer is never secure. You can unplug it from the internet to improve security. You can even switch it off. But someone can break into your house, steal the hard drive, unencrypt the encrypted file system, and, finally, read your e-mail. Big deal. This is obvious Fear, Uncertainty, and Doubt.
It is important to protect against automated random attacks. It's wise to use reasonable, and reasonably usable, defensive mechanisms like firewalls. But it's daft to make your own life impossible by getting obsessed. Also, the more obsessed you are, the more of an interesting target you are for determined crackers. I would bet that security-related websites get more attacks than most others (apart from Microsoft of course).

/dev/random l33t
Joined: 26 Nov 2004 Posts: 704 Location: Austin, Texas, USA
Posted: Mon Feb 21, 2005 2:06 am Post subject: Re: automated log scanners

dsegel wrote: | braverock wrote: |
I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command.
- Brian |
You'd better also hope that the script allows at least 2 failed attempts or you'll find yourself locked out the first time you type your username or password wrong by accident. |
Has anyone written such a script yet? If so post here.

dasalvagg Apprentice
Joined: 26 Jun 2002 Posts: 183 Location: NY
Posted: Mon Feb 21, 2005 2:45 am Post subject:

Not exactly what you're asking about, but check out port knocking. This technique allows you to modify your currently running firewall based upon "knocking." The knocking daemon watches for a particular sequence of events, or knocks on the firewall, then opens up a single port to the IP address that has performed the correct sequence. This of course is useless for public servers that have lots of anonymous users; however, it is a potentially powerful way to disguise the existence of a server and provide more protection for critical services (i.e. sshd into your webserver)

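The mechanism dasalvagg describes, as an added example written for this page (it is not code from the thread or from any port-knocking project): a shell/awk scanner that reads iptables LOG output for the knock ports, tracks each source's progress through the sequence, and prints the rule a knock daemon would insert for a source that completed it. It assumes a LOG rule with --log-prefix "KNOCK: " on the knock ports; the log lines, addresses and sequence are constructed, and nothing is applied, only printed.

```shell
#!/bin/sh
# Added example, not from the thread or any port-knocking project: detect a completed
# knock sequence in iptables LOG output (a LOG rule with --log-prefix "KNOCK: " on
# the knock ports is assumed) and print the rule that would open sshd to that one
# source. Log lines below are constructed; nothing is applied.

KLOG=$(mktemp); trap 'rm -f "$KLOG"' EXIT
cat > "$KLOG" <<'EOF'
Feb 21 02:40:01 router kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000 SYN
Feb 21 02:40:02 router kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000 SYN
Feb 21 02:40:03 router kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=9000 SYN
Feb 21 02:41:00 router kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=5001 DPT=7000 SYN
Feb 21 02:41:01 router kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=5002 DPT=9000 SYN
Feb 21 02:41:02 router kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=5003 DPT=8000 SYN
Feb 21 02:41:03 router kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=5004 DPT=9000 SYN
EOF

# knock_completed LOG "P1 P2 P3 ...": print every SRC that hit the ports in that
# order. A knock to a port other than the next expected one resets that source's
# progress (to 1 if it was the first port again, otherwise to 0), so hitting all
# the right ports in the wrong order does not count.
knock_completed() {
    awk -v seq="$2" '
        BEGIN { n = split(seq, want, " ") }
        /KNOCK:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            if (dpt == want[prog[src] + 1]) prog[src]++
            else prog[src] = (dpt == want[1]) ? 1 : 0
            if (prog[src] == n) { print src; prog[src] = 0 }
        }' "$1"
}

# ssh_open_rule SRC: the single-source ACCEPT a knock daemon would insert.
ssh_open_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j ACCEPT\n' "$1"
}

echo "== sources that completed 7000 8000 9000 =="
for src in $(knock_completed "$KLOG" "7000 8000 9000"); do ssh_open_rule "$src"; done
```

In the constructed log, 203.0.113.9 knocks 7000, 8000, 9000 in order and gets the rule; 198.51.100.7 touches the same three ports but out of order and gets nothing. Two caveats follow from the design: a sequence that is strictly ascending is completed by any plain sequential port scan, so pick a non-monotonic one, and the knocks travel in the clear and can be replayed, which is why the post calls this a disguise for a service rather than a replacement for its authentication.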
/dev/random l33t
Joined: 26 Nov 2004 Posts: 704 Location: Austin, Texas, USA
Posted: Mon Feb 21, 2005 3:12 am Post subject:

Well I did read all 10 pages before posting so I've seen this mentioned before but this machine is my desktop and an http/ftp server so I don't want to trade off too much usability just for some security. So I was hoping I could figure out a way to sort of halt these hacking attempts without limiting everything else.

astrodelgato n00b
Joined: 01 Jan 2004 Posts: 66 Location: Atlanta, GA
Posted: Thu Feb 24, 2005 8:04 pm Post subject:

I believe contains options to set the time between password attempts, max login attempts, etc.
I'm pretty sure that was asked about several times in this thread.
Someone please correct me if I am mistaken.
Also, does this file affect SSH?

sinisterdomestik l33t
Joined: 28 Aug 2003 Posts: 685 Location: Texas
Posted: Thu Feb 24, 2005 9:46 pm Post subject:

cbock wrote: | this post should be required reading. i've had 6400+ failed logins since last july. wow.
i felt better after reviewing Code: | grep -i "successful" /var/log/messages |
not to say that's a true measure of successful security. made me feel a little better though. |
and then I look at
Code: | grep -i "failed" /var/log/messages |
and holy shit is there a lot of failed sshd attempts as root on all the ports above 60000. of course that was in September, and I don't remember what I was doing in September so it mighta been me. thank god for 10+ character passwords
_________________
Thou shalt NEVER speak of removing thine Linux

cbock Tux's lil' helper
Joined: 16 Apr 2004 Posts: 149 Location: san diego
Posted: Fri Feb 25, 2005 2:30 am Post subject:

The easiest fix for me was changing my ssh port to something other than 22....

Zuti Tux's lil' helper
Joined: 09 Jul 2003 Posts: 123 Location: The Netherlands
Posted: Mon Feb 28, 2005 3:12 am Post subject:

If you must have sshd running (and on a home (desktop) box I honestly don't see the reason why you should) you could use a tool called portknocking.
Check it out at http://www.portknocking.org

mathgeek Tux's lil' helper
Joined: 12 Oct 2004 Posts: 103 Location: Ulm, Germany
Posted: Mon Mar 07, 2005 11:26 am Post subject:

I have a box with a fixed IP in my office. There are a lot of blunt ssh attempts in my logs, too. Thus, I reconfigured iptables so that access to port 22 is only granted from certain ranges of IP addresses. Since I am the only user on this machine and since I have a strong password, this does little more than stop my logs from bursting. But it works, though.
_________________
Gentoo can do.

vert Apprentice
Joined: 07 May 2002 Posts: 214 Location: Delft, The Netherlands
Posted: Sun Mar 13, 2005 8:34 pm Post subject:

Same here. But since I was interested in how often this occurs, I created a simple bash script that will email me at the end of the day if failed login attempts were detected during that day. It lists a summary of attempts per day (or IP). I get an email almost every day... For now my record stands at 400 attempts in one day! That was February 23, 2005. The most hits I had from one IP was 277 for 81.19.98.108.
Seeing the results, I quickly abandoned interactive logins and only use key files now.
So yeah, it does seem there are a lot of compromised boxes out there

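vert's per-day and per-IP summary above and braverock's earlier request (a script that reacts to the failed-login lines with an iptables DROP, with dsegel's warning about locking yourself out) can both be covered by one script. The following is an added example written for this page, not the script vert or anyone else in the thread posted. The log lines are constructed in the OpenSSH 3.x syslog format of the time; the threshold, the NEVER_BLOCK list and the file name are assumptions, and the script only prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread: summarise failed sshd logins per day and per
# source IP, list sources that crossed a threshold, and print (not run) the
# iptables DROP rule a blocking script would apply. Sample log lines are constructed.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Feb 23 10:12:01 router sshd[1234]: Illegal user admin from 198.51.100.7
Feb 23 10:12:03 router sshd[1234]: Failed password for illegal user admin from 198.51.100.7 port 40110 ssh2
Feb 23 10:12:05 router sshd[1236]: Failed password for root from 198.51.100.7 port 40111 ssh2
Feb 23 10:12:09 router sshd[1238]: Failed password for root from 198.51.100.7 port 40112 ssh2
Feb 23 11:02:00 router sshd[1300]: Failed password for jesse from 192.0.2.9 port 50001 ssh2
Feb 23 11:02:10 router sshd[1301]: Accepted publickey for jesse from 192.0.2.9 port 50002 ssh2
Feb 24 03:00:00 router sshd[1400]: Failed password for root from 203.0.113.5 port 1025 ssh2
Feb 24 03:00:02 router sshd[1402]: Failed password for root from 203.0.113.5 port 1026 ssh2
Feb 25 07:30:44 router sshd[1500]: Failed password for illegal user test from 203.0.113.5 port 1100 ssh2
EOF

# failed_logins LOG: one "Mon DD IP" line per failed attempt. Only "Failed password
# for" lines are counted; the "Illegal user" line that precedes one of them refers
# to the same attempt and would double count it.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $1, $2, $(i + 1)
         }' "$1"
}

# Summaries in the two shapes vert describes: per day and per source address.
attempts_per_day() {
    failed_logins "$1" | awk '{ n[$1 " " $2]++ } END { for (d in n) print n[d], d }' | sort -k2
}
attempts_per_ip() {
    failed_logins "$1" | awk '{ n[$3]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# block_candidates LOG THRESHOLD: sources with at least THRESHOLD failures, minus
# the addresses in NEVER_BLOCK, so one mistyped password from your own workstation
# never locks you out (dsegel's point). Both values are assumptions to adjust.
NEVER_BLOCK="192.0.2.9 127.0.0.1"
block_candidates() {
    attempts_per_ip "$1" | awk -v t="$2" -v keep="$NEVER_BLOCK" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) safe[k[i]] = 1 }
        $1 >= t && !($2 in safe) { print $2 }'
}

# drop_rules LOG THRESHOLD: dry run, prints the rules instead of executing them.
drop_rules() {
    block_candidates "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

echo "== attempts per day ==";   attempts_per_day "$LOG"
echo "== attempts per ip ==";    attempts_per_ip "$LOG"
echo "== rules for 3+ failures =="; drop_rules "$LOG" 3
```

Run it from cron against the real log (/var/log/messages or wherever syslog-ng sends the auth facility) and mail yourself the summaries; pipe the rule lines into sh only after reviewing them, and remember that the source is usually someone else's compromised box, so the block stops the noise rather than the person behind it.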
WarMachine Apprentice
Joined: 15 Jul 2002 Posts: 181
Posted: Mon Mar 14, 2005 2:32 am Post subject:

Failed login attempts have completely ceased after I changed the config to listen on a much higher port number.

vert Apprentice
Joined: 07 May 2002 Posts: 214 Location: Delft, The Netherlands
Posted: Mon Mar 14, 2005 7:41 am Post subject:

Thought of that too, but I'm working a lot in different places behind various firewalls, and usually only the common ports are open.
_________________
Myth on Gentoo